aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
66s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

pid	Process
4876	voiceadequovl.exe
3280	voiceadequovl.exe
824	voiceadequovl.exe
1480	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3280 set thread context of 1480	3280	voiceadequovl.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
872	powershell.exe
872	powershell.exe
3280	voiceadequovl.exe
3280	voiceadequovl.exe
4432	powershell.exe
4432	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	voiceadequovl.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeIncreaseQuotaPrivilege	4588	wmic.exe
Token: SeSecurityPrivilege	4588	wmic.exe
Token: SeTakeOwnershipPrivilege	4588	wmic.exe
Token: SeLoadDriverPrivilege	4588	wmic.exe
Token: SeSystemProfilePrivilege	4588	wmic.exe
Token: SeSystemtimePrivilege	4588	wmic.exe
Token: SeProfSingleProcessPrivilege	4588	wmic.exe
Token: SeIncBasePriorityPrivilege	4588	wmic.exe
Token: SeCreatePagefilePrivilege	4588	wmic.exe
Token: SeBackupPrivilege	4588	wmic.exe
Token: SeRestorePrivilege	4588	wmic.exe
Token: SeShutdownPrivilege	4588	wmic.exe
Token: SeDebugPrivilege	4588	wmic.exe
Token: SeSystemEnvironmentPrivilege	4588	wmic.exe
Token: SeRemoteShutdownPrivilege	4588	wmic.exe
Token: SeUndockPrivilege	4588	wmic.exe
Token: SeManageVolumePrivilege	4588	wmic.exe
Token: 33	4588	wmic.exe
Token: 34	4588	wmic.exe
Token: 35	4588	wmic.exe
Token: 36	4588	wmic.exe
Token: SeIncreaseQuotaPrivilege	4588	wmic.exe
Token: SeSecurityPrivilege	4588	wmic.exe
Token: SeTakeOwnershipPrivilege	4588	wmic.exe
Token: SeLoadDriverPrivilege	4588	wmic.exe
Token: SeSystemProfilePrivilege	4588	wmic.exe
Token: SeSystemtimePrivilege	4588	wmic.exe
Token: SeProfSingleProcessPrivilege	4588	wmic.exe
Token: SeIncBasePriorityPrivilege	4588	wmic.exe
Token: SeCreatePagefilePrivilege	4588	wmic.exe
Token: SeBackupPrivilege	4588	wmic.exe
Token: SeRestorePrivilege	4588	wmic.exe
Token: SeShutdownPrivilege	4588	wmic.exe
Token: SeDebugPrivilege	4588	wmic.exe
Token: SeSystemEnvironmentPrivilege	4588	wmic.exe
Token: SeRemoteShutdownPrivilege	4588	wmic.exe
Token: SeUndockPrivilege	4588	wmic.exe
Token: SeManageVolumePrivilege	4588	wmic.exe
Token: 33	4588	wmic.exe
Token: 34	4588	wmic.exe
Token: 35	4588	wmic.exe
Token: 36	4588	wmic.exe
Token: SeIncreaseQuotaPrivilege	2324	WMIC.exe
Token: SeSecurityPrivilege	2324	WMIC.exe
Token: SeTakeOwnershipPrivilege	2324	WMIC.exe
Token: SeLoadDriverPrivilege	2324	WMIC.exe
Token: SeSystemProfilePrivilege	2324	WMIC.exe
Token: SeSystemtimePrivilege	2324	WMIC.exe
Token: SeProfSingleProcessPrivilege	2324	WMIC.exe
Token: SeIncBasePriorityPrivilege	2324	WMIC.exe
Token: SeCreatePagefilePrivilege	2324	WMIC.exe
Token: SeBackupPrivilege	2324	WMIC.exe
Token: SeRestorePrivilege	2324	WMIC.exe
Token: SeShutdownPrivilege	2324	WMIC.exe
Token: SeDebugPrivilege	2324	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2324	WMIC.exe
Token: SeRemoteShutdownPrivilege	2324	WMIC.exe
Token: SeUndockPrivilege	2324	WMIC.exe
Token: SeManageVolumePrivilege	2324	WMIC.exe
Token: 33	2324	WMIC.exe
Token: 34	2324	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 4876	4688	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	82
PID 4688 wrote to memory of 4876	4688	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	82
PID 4688 wrote to memory of 4876	4688	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	82
PID 4876 wrote to memory of 3280	4876	voiceadequovl.exe	87
PID 4876 wrote to memory of 3280	4876	voiceadequovl.exe	87
PID 4876 wrote to memory of 3280	4876	voiceadequovl.exe	87
PID 3280 wrote to memory of 872	3280	voiceadequovl.exe	90
PID 3280 wrote to memory of 872	3280	voiceadequovl.exe	90
PID 3280 wrote to memory of 872	3280	voiceadequovl.exe	90
PID 3280 wrote to memory of 5008	3280	voiceadequovl.exe	94
PID 3280 wrote to memory of 5008	3280	voiceadequovl.exe	94
PID 3280 wrote to memory of 5008	3280	voiceadequovl.exe	94
PID 5008 wrote to memory of 4432	5008	cmd.exe	95
PID 5008 wrote to memory of 4432	5008	cmd.exe	95
PID 5008 wrote to memory of 4432	5008	cmd.exe	95
PID 3280 wrote to memory of 824	3280	voiceadequovl.exe	97
PID 3280 wrote to memory of 824	3280	voiceadequovl.exe	97
PID 3280 wrote to memory of 824	3280	voiceadequovl.exe	97
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 3280 wrote to memory of 1480	3280	voiceadequovl.exe	96
PID 1480 wrote to memory of 4588	1480	voiceadequovl.exe	98
PID 1480 wrote to memory of 4588	1480	voiceadequovl.exe	98
PID 1480 wrote to memory of 4588	1480	voiceadequovl.exe	98
PID 1480 wrote to memory of 2976	1480	voiceadequovl.exe	101
PID 1480 wrote to memory of 2976	1480	voiceadequovl.exe	101
PID 1480 wrote to memory of 2976	1480	voiceadequovl.exe	101
PID 2976 wrote to memory of 2324	2976	cmd.exe	102
PID 2976 wrote to memory of 2324	2976	cmd.exe	102
PID 2976 wrote to memory of 2324	2976	cmd.exe	102
PID 1480 wrote to memory of 3700	1480	voiceadequovl.exe	103
PID 1480 wrote to memory of 3700	1480	voiceadequovl.exe	103
PID 1480 wrote to memory of 3700	1480	voiceadequovl.exe	103
PID 3700 wrote to memory of 4252	3700	cmd.exe	105
PID 3700 wrote to memory of 4252	3700	cmd.exe	105
PID 3700 wrote to memory of 4252	3700	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4252
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
75b0ef82c57daae6f6ba84aca13ba9a4

SHA1
d7acd8f00955863734a1ecdfb5c77b2024a27565

SHA256
66315be20ca7387c2b02badbef209a509c157c11949ec31cebb04c0be2a377b2

SHA512
13a5d44b381a3065178252498ab3a3443ebf98f69ad2d5f5409458d2325bb3df8225f2139cabf064b2dec68134049f9f55212c60ad7f09618575475cb567bffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
228.5MB

MD5
7030c63e320d6620a5ded13e84b400f3

SHA1
fa7b12e6af3bc713bbbed7ccbe48bc2cb85e8dc9

SHA256
1ea225d99a9153390bb7da5b187542ba257aba720b31d694e1ba3801958dede5

SHA512
a67ab69bccad67bca048aa623e3b519c14d4e838bbad89c0a05ca15cc3934617241e6dcbcc2a331ea09569536aae1defa9a59f57e2fa99298b32ec8738f57d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
225.6MB

MD5
9d0f59a1f7c0baeb22a5e25c646eafa6

SHA1
feb73ba9bfe1b3e6a24d684beb7563bcbcf51094

SHA256
160b4e3e256169b05cbedfe730403c3b2e51b88e536ebf26f852486a1d6fa10c

SHA512
efbdb734b226f4dd9a97e04594499887f5c4a9f613c9ecd0a16efe165c6af7ef628524f08197e6da954247f7b82ab931f0c985acabf5790409bbf20534d21ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
225.3MB

MD5
59d55733a0e778311a55293b2ca165dc

SHA1
387799a69ab7331a3d1b30e3b856d69f3480f7bf

SHA256
0b8374a8ee1bf6edef24911ceecb2e681930e5a267f356e2b0a83c74bf0d48ad

SHA512
e750ff7006dc66fa2fe740b34c352acda68f25e1ef8543628b5a76ef13e2cd28ab84445d3fd098c358566026a589a64c5ae6026b71dddfc00b7cffda103e2afc

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
224.6MB

MD5
65b82dbcadf7cd05cea481ea289759d7

SHA1
b9e95faf8d908a1895650a595f3e00adac320265

SHA256
54b83a7ed36bbe76578bf3b8525a9f2567568e9b4fbd10861ca4659427d52b7d

SHA512
55f5aa76228ebcbeac387c57f110ebad79e5bac809aeef8fce3961d0068c2e3bebbb69b99ee48a04d483218a0fc174ca8c51db939f1ee40f0b8de39bbef8e879

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
171.9MB

MD5
dba5de88bb6a9a825608f774af3f25aa

SHA1
512c52665b4e06b91ec58a676e01aef16b7ba016

SHA256
c9f3d39512291f8ca398c9af8b2671dc0d42d10052ecd3557aee637d583441f3

SHA512
fa9dd62cf097d6731a06534c1fcdac63ea815089112d4c0e9a66df6ce23b6a413c7db638793dc5a39cea2519e7507fe7e8a18bc861c8307598927c6b47dacc7c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
169.6MB

MD5
faad3523af43f51dfc3f429f57960424

SHA1
6c5914ca25458cb22782ac0bb0d9f6430cf67c6f

SHA256
d3cacedd33ffa891f59a20825d37f0ee03e08f971af875947d6bc2eb4ab26e39

SHA512
768945e1c632b5eefac8983869642c2019ad884e9462012506754f73c3733d470dab38c36765a4380dbf9be082c50c3a9cb07b790b248a57de47d1c3c874db22

Download Submit
memory/872-143-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/872-144-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/872-145-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/872-147-0x00000000066D0000-0x00000000066EA000-memory.dmp

Filesize
104KB

Download
memory/872-146-0x0000000007A70000-0x00000000080EA000-memory.dmp

Filesize
6.5MB

Download
memory/872-142-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/872-141-0x0000000004C60000-0x0000000004C96000-memory.dmp

Filesize
216KB

Download
memory/1480-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3280-139-0x00000000075D0000-0x00000000075F2000-memory.dmp

Filesize
136KB

Download
memory/3280-138-0x0000000000F10000-0x0000000001684000-memory.dmp

Filesize
7.5MB

Download
memory/4432-165-0x00000000075A0000-0x00000000075AA000-memory.dmp

Filesize
40KB

Download
memory/4432-164-0x0000000007360000-0x000000000737E000-memory.dmp

Filesize
120KB

Download
memory/4432-163-0x0000000074CD0000-0x0000000074D1C000-memory.dmp

Filesize
304KB

Download
memory/4432-162-0x0000000007380000-0x00000000073B2000-memory.dmp

Filesize
200KB

Download
memory/4432-168-0x00000000077D0000-0x0000000007866000-memory.dmp

Filesize
600KB

Download
memory/4432-171-0x0000000006060000-0x000000000606E000-memory.dmp

Filesize
56KB

Download
memory/4432-172-0x0000000007750000-0x000000000776A000-memory.dmp

Filesize
104KB

Download
memory/4432-173-0x0000000007730000-0x0000000007738000-memory.dmp

Filesize
32KB

Download